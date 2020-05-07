I have a set of items stored in a database, each with their own unique name.

On one of my HTML pages, I create a list of buttons that display the name of each item, and when they are clicked, I call a function that passes the name of the item as a parameter.

<div class="large professional-button" onclick="doStuff("itemName", "param2")">itemName</div>

The issue is, these item names are user-generated, so they can be whatever a person wants. This means they have the potential to have single quotes in them, for example: name'with'quotes . I have found that my HTML construction runs into an error when it tries to construct the buttons for any items with quotes in the name. They end up looking something like this:

<div class="large professional-button" onclick="doStuff("name" with'quotes",="" "param2")'="">name'with'quotes</div>

As soon as it hits the first single quotes in the name, it seems to turn them into a space and double-quotes ( " ) and then everything else after that becomes a garbled mess. Any double quotes seem to get converted to " .